tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
VPN Connections
    Documentation
    Download PDF

    Configuring a Cisco Firewall

    Last updated: 2024-01-09 14:20:07
    Download PDF
      To connect your IDC to a Tencent Cloud VPC via IPsec VPN connection, you need to configure the VPN on the gateway device of your local IDC after configuring the VPN gateway on Tencent Cloud. This document introduces how to configure the VPN on a Cisco firewall of the local IDC.
      Note:
      This document introduces the common configurations of Cisco ASA firewalls.
      Replace all the IPs, ports, and other parameters given in this document with your actual values for configurations.

      Prerequisites

      You have created a VPN connection as instructed in Creating VPN Gateways in a Tencent Cloud VPC, and configured the VPN tunnel as instructed in Creating VPN tunnel.

      Data Preparations

      The following table describes the IPsec VPN configuration data.
      Configuration item
      Sample value
      Network
      VPC information
      Subnet CIDR block
      10.1.1.0/24
      Public IP of the VPN gateway
      159.xx.xx.242
      IDC information
      Private CIDR block
      172.16.0.0/16
      Public IP of the gateway
      120.xx.xx.76
      IPsec VPN connection
      IKE
      Version
      IKEV1
      Identity verification method
      Pre-shared key
      PSK
      tencent@123
      Encryption agorithm
      AES-128
      Authentication algorithm
      MD5
      Negotiation mode
      main
      Local ID
      IP address: 120.xx.xx.76
      Remote ID
      IP address: 159.xx.xx.242
      DH group
      DH2
      IKE SA lifetime
      86400
      IPsec
      Encryption algorithm
      AES-128
      Authentication algorithm
      MD5
      Packet encapsulation mode
      Tunnel
      Security protocol
      ESP
      PFS
      disable
      IPsec SA lifetime (in seconds)
      3600 s
      IPsec SA lifetime (in KB)
      1843200 KB
      Firewall
      Interface
      Nameif
      outside

      Directions

      SPD policy-based VPN (IKEv1)
      Route-based VPN (IKEv1)
      SPD policy-based VPN (IKEv2)
      Route-based VPN (IKEv2)
      1. Log in to the command-line interface of the firewall device.
         ssh -p admin@10.XX.XX.56        
      
      # Use the SSH command to log in to the configuration interface of the firewall.
      
      User Access Verification
      Username: admin
      Password: ********
      Type help or '?' for a list of available commands.   
      
      # Enter the username and password to enter the user mode.
      
      ASA>  
      ASA> en  
      Password:       
      
      # Input “enable” and its password to enter the privileged EXEC mode in which you can view information only.
      
      ASA# conf t   
      ASA(config)#
      
      # Input "config ter" to enter the global mode in which you can configure the firewall.
      
      
      2. Configure the firewall interface. In the global mode, configure the firewall interface that connects to Tencent Cloud.
         interface GigabitEthernet0/0
         nameif outside  # Specify the security domain of the interface.
         security-level 0  # Specify the security domain level of the interface.
         ip address 120.XX.XX.76 255.255.255.252  # Configure the local public IP address of the VPN tunnel.
      
      3. Configure an ISAKMP policy.
         crypto ikev1 enable outside  # Enable IKE on the "outside" interface.
         crypto ikev1 policy 10  # Define the phase 1 negotiation policy for IKEv1. Enter a number between 1-65535. The smaller the number, the higher the priority. The number 10 is used here.
         authentication pre-share  # Set the authentication method to authentication via pre-shared keys.
         encryption AES-128  # Specify the packet encapsulation encryption algorithm for the phase 1 negotiation. It defaults to "AES-128".
         hash MD5  # Set the hash algorithm to “MD5” for the IKE policy. It defaults to "SHA".
         group 2  # Use Diffie-Hellman group 2 for the IKE policy. It defaults to "group 2".
         lifetime 86400  # Specify the SA lifetime. It defaults to "86400" seconds.
      
      4. Configure the pre-shared key.
         tunnel-group 159.XX.XX.242 type ipsec-l2l  # Create a point-to-point IPsec tunnel group.
         tunnel-group 159.XX.XX.242 ipsec-attributes  # Configure the tunnel group attributes, and specify the pre-shared key.
         ikev1 pre-shared-key tencent@123  # Enter letters, numbers or strings as the key, which contains 1-128 characters.
      
      5. Configure the IPsec security protocol.
         crypto ipsec ikev1 transform-set TS esp-aes esp-md5-hmac  # Specify the encryption algorithm and hash algorithm for the phase 2 IPsec negotiation.
      
      6. Configure ACL.
         access-list INTERESTING extended permit ip 172.XX.XX.0 255.255.0.0 10.1.1.0 255.255.255.0  # Configure ACL to capture the data stream of the VPN tunnel.
      
      7. Configure an IPsec policy.
         crypto map CMAP 1 match address INTERESTING  # Use ACL to allow the packets that meet the source or destination IP range requirements of the ACL to flow in the VPN tunnel.
         crypto map CMAP 1 set peer 159.XX.XX.242  # Set the public IP address of the destination VPN to which the IPsec-protected traffic can be forwarded. The public IP address of the Tencent Cloud VPN is used here.
         crypto map CMAP 1 set ikev1 transform-set TS  # Configure an IKEv1 protocol for the crypto map entry.
         crypto map CMAP 1 set security-association lifetime seconds 3600  # Configure a SA lifetime.
      
      8. Apply the IPsec policy.
         rypto map CMAP interface outside  # Apply the crypto map configured in the previous step to the "outside" interface.
      
      9. Configure static routes.
         route outside 10.1.1.0 255.255.255.0 159.XX.XX.242 1  # Route the data of the IP range to be encrypted and protected to the IPsec tunnel, and configure the destination public IP of the VPN tunnel as the next hop.
      
      10. Test the VPN connectivity. You can use the ping command to test the VPN connectivity.
      1. Log in to the command-line interface of the firewall device.
         ssh -p admin@10.XX.XX.56
      
      # Use the SSH command to log in to the configuration interface of the firewall.
      
      User Access Verification
      Username: admin
      Password: ********
      Type help or '?' for a list of available commands.
      
      # Enter the username and password to enter the user mode.
      
      ASA>  
      ASA> en  
      Password: 
      
      # Input "enable" and its password to enter the privileged EXEC mode in which you can view information only.
      
      ASA# conf t   
      ASA(config)#
      
      # Input "config ter" to enter the global mode in which you can configure the firewall.
      
      
      2. Configure the firewall interface. In the global mode, configure the firewall interface that connects to Tencent Cloud.
         interface GigabitEthernet0/0
         nameif outside  # Specify the security domain of the interface.
         security-level 0  # Specify the security domain level of the interface.
         ip address 120.XX.XX.76 255.255.255.252  # Configure the local public IP address of the VPN tunnel.
      
      3. Configure an ISAKMP policy.
          crypto ikev1 policy 10  # Define the phase 1 negotiation policy for IKEv1. Enter a number between 1-65535. The smaller the number, the higher the priority. The number 10 is used here.
          authentication pre-share  # Set the authentication method to authentication via pre-shared keys.
          encryption AES-128  # Specify the packet encapsulation encryption algorithm for the phase 1 negotiation. It defaults to "AES-128".
          hash MD5  # Set the hash algorithm to “MD5” for the IKE policy. It defaults to "SHA".
          group 2  # Use Diffie-Hellman group 2 for the IKE policy. It defaults to "group 2".
          lifetime 86400  # Specify the SA lifetime. It defaults to "86400" seconds.
      
      4. Configure the pre-shared key.
         tunnel-group 159.XX.XX.242 type ipsec-l2l  # Create a point-to-point IPsec tunnel group.
         tunnel-group 159.XX.XX.242 ipsec-attributes  # Configure the tunnel group attributes, and specify the pre-shared key.
          ikev1 pre-shared-key tencent@123  # Enter letters, numbers or strings as the key, which contains 1-128 characters.
      
      5. Configure the IPsec security protocol.
         crypto ipsec ikev1 transform-set TS esp-aes esp-md5-hmac  # Specify the encryption algorithm and hash algorithm for the phase 2 IPsec negotiation.
      
      6. Configure an IPsec policy.
         crypto ipsec profile PROFILE1
         set ikev1 transform-set TS  # Specify an IKEv1 IPSec proposal policy for the crypto map entry.
         set security-association lifetime kilobytes 1843200  # Specify the data stream in kilobytes allowed between source and destination VPNs during the SA lifetime.
         set security-association lifetime seconds 3600  # Set the SA lifetime. The default value is 4,608,000 kilobytes or 28,800 seconds.
      
      7. Apply the IPsec policy.
         interface Tunnel100
         tunnel source interface outside  # Configure the source VPN that comes from the "outside" interface. 
         tunnel destination 159.XX.XX.242  # Configure the public IP address of the destination VPN. The public IP address of Tencent Cloud VPN is used here.
         tunnel mode ipsec ipv4  # Configure the protocol for the tunnel interface.
         tunnel protection ipsec profile PROFILE1  # Use the IPsec policy to protect data passing through the tunnel interface.
      
      8. Configure static routes.
         route vti 10.1.1.0 255.255.255.0 159.XX.XX.242   # Route the packets to be encrypted and protected to the tunnel interface.
      
      9. Test the VPN connectivity. You can use the ping command to test the VPN connectivity.
      1. Log in to the command-line interface of the firewall device.
         ssh -p admin@10.XX.XX.56
      
      # Use the SSH command to log in to the configuration interface of the firewall.
      
      User Access Verification
      Username: admin
      Password: ********
      Type help or '?' for a list of available commands.
      
      # Enter the username and password to enter the user mode.
      
      ASA>  
      ASA> en  
      Password: 
      
      # Input "enable" and its password to enter the privileged EXEC mode in which you can view information only.
      
      ASA# conf t   
      ASA(config)#
      
      # Input "config ter" to enter the global mode in which you can configure the firewall.
      
      
      2. Configure the firewall interface. In the global mode, configure the firewall interface that connects to Tencent Cloud.
         interface GigabitEthernet0/0
         nameif outside  # Specify the security domain of the interface.
         security-level 0  # Specify the security domain level of the interface.
         ip address 120.XX.XX.76 255.255.255.252  # Configure the local public IP address of the VPN tunnel.
      
      3. Configure an ISAKMP policy.
         crypto ikev2 enable outside  # Enable IKEv2 on the "outside" interface.
         crypto ikev1 policy 10  # Define the phase 1 negotiation policy for IKEv2. Enter a number between 1-65535. The smaller the number, the higher the priority. This document uses 10.
         authentication pre-share  # Set the authentication method to authentication via pre-shared keys.
         encryption AES-128  # Specify the packet encapsulation encryption algorithm for the phase 1 negotiation. It defaults to "AES-128".
         integrity MD5  #   # Set the hash  algorithm to “MD5” for the IKE policy. It defaults to "SHA".
         group 2  # Use Diffie-Hellman group 2 for the IKE policy. It defaults to "group 2".
         prf sha # Set the encryption algorithm.
         lifetime seconds 86400  # Set the SA lifetime. It defaults to 86400s.
      
      4. Configure a group policy.
         group-policy group_policy internal  # Set a group policy for devices.
         group-policy group_policy attributes  # Set the group policy attributes.
         vpn-tunnel-protocol ikev2 # Set IKEv2 protocol for vpn-tunnel.
      
      5. Configure the pre-shared key.
         tunnel-group 159.XX.XX.242 type ipsec-l2l  # Create a point-to-point IPsec tunnel group.
         tunnel-group 159.XX.XX.242 general-attributes default-group-policy group_policy  # Apply the group policy defined in the previous step.
         tunnel-group 159.XX.XX.242 ipsec-attributes  # Configure the tunnel group attributes, and specify the pre-shared key.
         ikev2 remote-authentication pre-shared-key tencent@123
         ikev2 local-authentication pre-shared-key tencent@123 # Enter letters, numbers or strings as the key, which contains 1-128 characters.
      
      6. Specify the IPsec protocol.
         crypto ipsec ikev2 ipsec-proposal ikev2_proposal  # Specify the encryption algorithm and hash algorithm for the phase 2 IPsec negotiation.
         protocol esp encryption aes-128  # Configure an encryption algorithm.
         protocol esp integrity sha-1 # Configure an integrity checking algorithm.
      
      7. Configure ACL.
         access-list INTERESTING extended permit ip 172.XX.XX.0 255.255.0.0 10.1.1.0 255.255.255.0  # Configure ACL to capture the data stream of the VPN tunnel.
      
      8. Configure an IPsec policy.
         crypto map CMAP 1 match address INTERESTING  # Use ACL to allow the packets that meet the source or destination IP range requirements of the ACL to flow in the VPN tunnel.
         crypto map CMAP 1 set peer 159.XX.XX.242  # Set the public IP address of the destination VPN to which the IPsec-protected traffic can be forwarded. The public IP address of the Tencent Cloud VPN is used here.
         crypto map CMAP 1 set ikev2 ipsec-proposal ikev2_proposal # Configure an IKEv2 protocol for the crypto map entry.
         crypto map CMAP 1 set security-association lifetime seconds 3600 # Configure a SA lifetime.
         crypto map CMAP 1 set security-association lifetime kilobytes 1843200  # Specify the data stream in kilobytes allowed between source and destination VPNs during the SA lifetime. The default value is 4,608,000 kilobytes, and the default SA lifetime is 28,800 seconds.
      
      9. Apply the IPsec policy.
         rypto map CMAP interface outside  # Apply the crypto map configured in the previous step to the "outside" interface.
      
      10. Configure static routes.
          route outside 10.1.1.0 255.255.255.0 159.XX.XX.242 1  # Route the data of the IP range to be encrypted and protected to the IPsec tunnel, and configure the destination public IP of the VPN tunnel as the next hop.
      
      11. Test the VPN connectivity. You can use the ping command to test the VPN connectivity.
      1. Log in to the command-line interface of the firewall device.
         ssh -p admin@10.XX.XX.56
      
      # Use the SSH command to log in to the configuration interface of the firewall.
      
      User Access Verification
      Username: admin
      Password: ********
      Type help or '?' for a list of available commands.
      
      # Enter the username and password to enter the user mode.
      
      ASA>  
      ASA> en  
      Password: 
      
      # Input "enable" and its password to enter the privileged EXEC mode in which you can view information only.
      
      ASA# conf t   
      ASA(config)#
      
      # Input "config ter" to enter the global mode in which you can configure the firewall.
      
      
      2. Configure the firewall interface. In the global mode, configure the firewall interface and tunnel interface used to connect Tencent Cloud.
         interface GigabitEthernet0/0
         nameif outside  # Specify the security domain of the interface.
         security-level 0  # Specify the security domain level of the interface.
         ip address 120.XX.XX.76 255.255.255.252  # Configure the public IP address of the Tencent Cloud VPN to connect.
         interface Tunnel100
         nameif vti
         ip address 172.XX.XX.2 255.255.255.0 # Set an IP address to activate the tunnel interface.
      
      3. Configure an ISAKMP policy.
         crypto ikev2 policy 1  # Define the phase 1 negotiation policy for IKEv2. Enter a number between 1-65535. The smaller the number, the higher the priority. The number 1 is used here.
         encryption AES-128  # Set "AES-128" as the packet encapsulation encryption algorithm for the phase 1 negotiation. It defaults to "AES-128".
         integrity MD5  /# Set the hash algorithm to “MD5” for the IKE policy. It defaults to “SHA”.
         group 2  # Use Diffie-Hellman group 2 for the IKE policy. It defaults to "group 2".
         prf sha # Configure the encryption algorithm.
         lifetime seconds 86400  # Configure the SA lifetime (namely, lifecycle). It defaults to 86400s.
      
      4. Configure a group policy.
         group-policy group_policy internal  # Set a group policy for devices.
         group-policy group_policy attributes  # Set the group policy attributes.
         vpn-tunnel-protocol ikev2 # Set IKEv2 protocol for vpn-tunnel.
      
      5. Configure the pre-shared key.
         tunnel-group 159.XX.XX.242 type ipsec-l2l  # Create a point-to-point IPsec tunnel group.
         tunnel-group 159.XX.XX.242 general-attributes default-group-policy group_policy  # Apply the group policy defined in the previous step.
         tunnel-group 159.XX.XX.242 ipsec-attributes  # Configure the tunnel group attributes, and specify the pre-shared key.
         ikev2 remote-authentication pre-shared-key tencent@123
         ikev2 local-authentication pre-shared-key tencent@123 # Enter letters, numbers or strings as the key, which contains 1-128 characters.
      
      6. Specify the IPsec protocol.
         crypto ipsec ikev2 ipsec-proposal ikev2_proposal  # Specify the encryption algorithm and hash algorithm for the phase 2 IPsec negotiation.
         protocol esp encryption aes-128  # Specify an encryption algorithm.
         protocol esp integrity sha-1 # Specify an integrity checking algorithm.
      
      7. Configure an IPsec policy.
         crypto ipsec profile PROFILE1
         set ikev2 ipsec-proposal ikev2_proposal  # Configure an IKEv2 protocol for the crypto map entry.
         set security-association lifetime kilobytes 1843200  # Specify the data stream in kilobytes allowed between source and destination VPNs during the SA lifetime.
         set security-association lifetime seconds 3600  # Set the SA lifetime. The default value is 4,608,000 kilobytes or 28,800 seconds.
      
      8. Apply the IPsec policy.
         interface Tunnel100
         tunnel source interface outside  # Configure the source VPN that comes from the "outside" interface. 
         tunnel destination 159.XX.XX.242  # Configure the public IP address of the destination VPN. The public IP address of Tencent Cloud VPN is used here.
         tunnel mode ipsec ipv4  # Configure the protocol for the tunnel interface.
         tunnel protection ipsec profile PROFILE1  # Use the IPsec policy to protect data passing through the tunnel interface.
      
      9. Configure static routes.
         route vti 10.1.1.0 255.255.255.0 159.XX.XX.242   # Route the packets to be encrypted and protected to the tunnel interface.
      
      10. Test the VPN connectivity. You can use the ping command to test the VPN connectivity.
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy